Edinburgh Product Release

Improved Menus

The Smoothwall administrative User Interface has been updated to make it easier to navigate and more aesthetically pleasing. The main navigation menu has now moved from the left-hand side of the page to the top; this brings the layout in line with user feedback.

There is a new style of local navigation menu which allows you to see and navigate between every item within the section. This also acts to show you where you are in the product by highlighting the tab you are under, the section you are in and the page you are on.

The context-sensitive help is now integrated within the page, allowing you to perform actions whilst reading the relevant documentation. At the top of the page the search bar has taken a more prominent position in the header area.

These changes also help support future updates to further consolidate and improve the navigation.

Improved ‘time spent browsing’ report

Filtering ‘metric’ reporting sections will now include ‘time spent’ performing a particular activity.

The summarization starts after results have been filtered, to produce a list of domains and an allocated amount of time, with other hits to the same domain. The results can be ordered by total amount of time spent per domain. This option alters how data is summarized and presented, giving a more accurate total time per domain.

Certificate Management

Man in the Middle (MITM) used for decrypting HTTPS traffic to filter its contents

Global Proxy

User-facing HTTPS services (including SSL login, the portal UI and Connect for Chromebooks – does NOT include the Admin UI)

Certificate Management

It has previously been difficult to establish a single continuous chain of trust on a Smoothwall System. Certificates were difficult to manage, with different sources of trust necessitating the export and import of many certificates; further complications were added by desynchronized certificate expiry dates.

Introducing the concept of a “default” Certificate Authority allows the System Administrator to set a CA to be used by all services under the Certificate Management system.

Can be automatically generated or imported by the System Administrator using the import functionality

Generates dynamic certificates needed for all services to be trusted

Dynamic certificates are updated automatically as needed

This feature does NOT change which certificates are in use; all existing certificates will be migrated and will still be used, with no need for any action to be taken. Alongside the migrated certificates, a new default CA will be created, allowing customers to choose to move to the new system.

A whitepaper will follow with further help on how to switch to and use this feature.

Benefits:

Using the automatically created CA, you only need to export one certificate for all clients to trust the Smoothwall

Import a CA from AD – then all clients that trust the AD will automatically trust the Smoothwall; no export needed at all

Changing the hostname does not require a redistribution of all the certificates

Improved handling of non-SNI traffic

The SNI extension provides the domain name for a transparent HTTPS request. Unfortunately, many sites do not populate it, so only the IP address is known.

As well as the existing options of “block non-SNI traffic” or “Allow HTTPS traffic with no SNI header for the ‘Transparent HTTPS incompatible sites’” there are now two new options:

Get the name of the site from the certificate and filter based on that

Continue to allow ‘Transparent HTTPS incompatible sites’ through without further filtering but, if they’re not in that list, get the name from the certificate and filter based on that

Smoothwall can now filter based on the name in the certificate – no more need to exempt sites that didn’t give all the information the Smoothwall needed.
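The four non-SNI options written out as a decision function, added here as an illustration and not Smoothwall's own code. It assumes the 'Transparent HTTPS incompatible sites' list is matched by destination IP, that unlisted traffic under the existing allow option is blocked, and that a certificate carrying no name is blocked; the function names, block rule and sample certificate are hypothetical.

```python
from enum import Enum

class NonSniMode(Enum):
    BLOCK = 1             # existing: block non-SNI traffic
    ALLOW_LISTED = 2      # existing: allow 'Transparent HTTPS incompatible sites'
    CERT_NAME = 3         # new: filter on the name in the certificate
    LISTED_ELSE_CERT = 4  # new: allow listed sites, otherwise use the certificate

def cert_names(cert):
    """DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # no SAN: fall back to the subject commonName
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    # A wildcard entry covers a whole domain, so filter on that domain.
    return [n[2:].lower() if n.startswith("*.") else n.lower() for n in names]

def is_blocked(name, blocked):
    """Hypothetical filter rule: a blocked domain also blocks its subdomains."""
    return any(name == d or name.endswith("." + d) for d in blocked)

def decide(mode, sni, dest_ip, cert, listed_ips, blocked):
    """Return (action, name_used) for one transparent HTTPS connection."""
    if sni:  # SNI present: filter on it as usual, whatever the mode
        name = sni.lower()
        return ("block" if is_blocked(name, blocked) else "allow", name)
    if mode is NonSniMode.BLOCK:
        return ("block", None)
    if mode is not NonSniMode.CERT_NAME and dest_ip in listed_ips:
        return ("allow", None)  # listed site passes without further filtering
    if mode is NonSniMode.ALLOW_LISTED:
        return ("block", None)  # assumption: unlisted non-SNI traffic is refused
    names = cert_names(cert)
    if not names:
        return ("block", None)  # assumption: fail closed on a nameless certificate
    hit = next((n for n in names if is_blocked(n, blocked)), None)
    return ("block", hit) if hit else ("allow", names[0])

# Constructed sample data (documentation address ranges, made-up domains).
CERT = {"subject": ((("commonName", "video.example"),),),
        "subjectAltName": (("DNS", "*.video.example"), ("DNS", "cdn.example"))}
LISTED_IPS = {"192.0.2.10"}
BLOCKED = {"video.example"}

if __name__ == "__main__":
    for mode in NonSniMode:
        print(mode.name, decide(mode, None, "198.51.100.7", CERT, LISTED_IPS, BLOCKED))
```

The difference between the two new options shows for a listed address: option 3 still filters it on the certificate name, while option 4 lets it through unfiltered.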

The option to enable spoofing is now shown for all transparent and non-transparent authentication policies.

With spoofing enabled, the Source NAT policy rule for “Local traffic – Guardian” will not be applied to the spoofed traffic. Spoofing ensures that traffic leaves the Guardian module with the source IP address of the client trying to reach the Internet.

Applications:

Customer wants to use the bandwidth module, which needs to see the clients’ actual IP addresses rather than having them all hidden behind Guardian

Customer has an upstream device (like a firewall) and wants it to see the IP addresses of the originating clients, rather than the traffic just looking like it’s coming from Guardian

Handling of traffic that matches non-spoofing authentication policies has not been changed.

Disk space estimation

The datastore settings page has been improved to show available disk space. The feature looks at the current average rate of storage of log data, and uses this to estimate the number of months until the partition is likely to be ‘full’ and auto pruning will occur.

New installation page for Decrypt and Inspect (MITM) certificate

Smoothwall offers a new page through which users can download and self install the certificate used for decrypt and inspect. Instructions give step by step guidance on installing the file on all major browsers and operating systems.

This feature is ideal for BYOD devices, as they are not centrally managed and so can’t have the certificate pushed out by the sysadmin.

For security reasons the client can’t be automatically directed to the page, so it is recommended that customers use their wireless system to direct clients to it, or advertise the link.

Authentication diagnostics

New authentication diagnostics have now been added for DNS SRV records (vital to Active Directory) and TCP connection checks. Hovering over the results status symbol in the diagnostic screen now gives a brief ‘help’ on the meaning of the problem and how best to begin addressing it.

BYOD diagnostics

The process of adding BYOD devices has been simplified in Edinburgh. New tests analyze the BYOD logs for potential problems, indicating whether there are any issues preventing the BYOD authentication from working successfully.